RE: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL Certificates

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Mon, 14 Feb 2011 07:56:11 -0600

John,
        I believe what you need to do is export the certificates from the IIS servers; they will be saved in a .pfx file, which is the PKCS12 format. OpenSSL can convert these into the PEM format that Squid supports; these commands will give you the desired output.

Exports the Certificate:
openssl pkcs12 -in server.pfx -out server.crt -nodes -nokeys -clcerts

Exports the Private Key (Note will not be encrypted, store in safe place):
openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts -clcerts

The openssl man page and the pkcs12 man page will have more information about these options if you need them.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co

> -----Original Message-----
> From: John Gardner [mailto:John.Gardner_at_southtyneside.gov.uk]
> Sent: Sunday, February 13, 2011 2:13 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Reverse Proxy and Externally Generated Wildcard SSL
> Certificates
>
> Hi everyone. I've got a query about running Squid as a Reverse Proxy that I
> hope someone can answer.
>
> Over the past year, I've been tasked with introducing several Squid servers
> into our organisation, most of them so far have been internal Caching
> proxies, but I'm now at the stage where I need to implement a Reverse
> Proxy (RP) in our DMZ.
>
> We're going to offload the SSL onto the RP using a Wildcard SSL Certificate
> and during testing I used the advice here:
> http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
> This was great to test everything and worked well. However, now I'm ready to put
> this into a Production environment and I have to deal with the fact that we
> are fundamentally a Windows house.
>
> They have already procured wildcard SSL certificates from Verisign, where
> the original CSR was generated on a Windows server sent off to the CA
> (Verisign) and then the wildcard certificate returned to us. My question
> is quite simple, how do I import the wildcard certificate into openssl on the
> RP server? All the examples I've seen online assume that you're generating
> the CSR on the proxy server itself but I don't have that luxury unfortunately.
>
> I know this is more of an OpenSSL question rather than pure Squid question,
> I was just hoping that someone on the list has already done this and can give
> me some advice.
>
> Thanks in advance.
>
> John
>
>
> This email and any files transmitted with it are intended solely for the named
> recipient and may contain sensitive, confidential or protectively marked
> material up to the central government classification of "RESTRICTED" which
> must be handled accordingly. If you have received this e-mail in error, please
> immediately notify the sender by e-mail and delete from your system, unless
> you are the named recipient (or authorised to receive it for the recipient)
> you are not permitted to copy, use, store, publish, disseminate or disclose it
> to anyone else.
>
>
> E-mail transmission cannot be guaranteed to be secure or error-free as it
> could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
> contain viruses and therefore the Council accept no liability for any such
> errors or omissions.
>
>
> Unless explicitly stated otherwise views or opinions expressed in this email
> are solely those of the author and do not necessarily represent those of the
> Council and are not intended to be legally binding.
>
>
>
> All Council network traffic and GCSX traffic may be subject to recording
> and/or monitoring in accordance with relevant legislation.
>
>
>
> South Tyneside Council, Town Hall & Civic Offices, Westoe Road, South
> Shields, Tyne & Wear, NE33 2RL, Tel: 0191 427 1717, Website:
> www.southtyneside.info
Received on Mon Feb 14 2011 - 13:57:14 MST
